CVE-2015-5723
high
CVSS v3
7.8
CVSS v2
7.2
VIR risk
7.8
Description
Doctrine Security Misconfiguration Vulnerability
Predictions
Exploit likelihood
75%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2015-5723
Vendor advisory: cve@mitre.org — http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 2.4.8-1 |
| debian | bullseye | fixed | 2.4.8-1 |
| debian | forky | fixed | 2.4.8-1 |
| debian | sid | fixed | 2.4.8-1 |
| debian | trixie | fixed | 2.4.8-1 |
| debian | 7.0 | affected | |
| debian | 8.0 | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | doctrine/annotations | <1.2.7 | 1.2.7 |
| Packagist | doctrine/cache | >=1.4.0,<1.4.2 | 1.4.2 |
| Packagist | doctrine/common | <2.4.3 | 2.4.3 |
| Packagist | doctrine/common | >=2.5.0-stable,<2.5.1 | 2.5.1 |
| Packagist | doctrine/orm | >=2.5.0,<2.5.1 | 2.5.1 |
| Packagist | doctrine/mongodb-odm | <1.0.2 | 1.0.2 |
| Packagist | doctrine/mongodb-odm-bundle | <3.0.1 | 3.0.1 |
| Packagist | zendframework/zendframework1 | >=1.12.0,<1.12.16 | 1.12.16 |
| Packagist | zendframework/zend-cache | >=2.5.0,<2.5.3 | 2.5.3 |
| Packagist | aws/aws-sdk-php | >=3.0.0,<3.2.1 | 3.2.1 |
| Packagist | doctrine/cache | >=1.0.0,<1.3.2 | 1.3.2 |
| Packagist | zendframework/zend-cache | >=2.4.0,<2.4.8 | 2.4.8 |
| Packagist | zendframework/zendframework | >=2.4.0,<2.4.8 | 2.4.8 |
| Packagist | zfcampus/zf-apigility-doctrine | >=1.0.0,<1.0.3 | 1.0.3 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| zend | zend-cache | {"endIncluding":"2.4.7"} | |
| zend | zend-cache | 2.5.0 | |
| zend | zend-cache | 2.5.1 | |
| zend | zend-cache | 2.5.2 | |
| doctrine-project | object_relational_mapper | {"endIncluding":"2.4.7"} | |
| doctrine-project | object_relational_mapper | 2.5.0 | |
| doctrine-project | doctrinemongodbbundle | 3.0.0 | |
| zend | zend_framework | {"endIncluding":"2.4.7"} | |
| doctrine-project | common | {"endIncluding":"2.4.2"} | |
| doctrine-project | common | 2.5.0 | |
| doctrine-project | annotations | {"endIncluding":"1.2.6"} | |
| doctrine-project | mongodb-odm | {"endIncluding":"1.0.1"} | |
| doctrine-project | cache | {"endIncluding":"1.3.1"} | |
| doctrine-project | cache | 1.4.0 | |
| doctrine-project | cache | 1.4.1 | |
| zend | zf-apigility-doctrine | {"endIncluding":"1.0.2"} | |
References
- http://framework.zend.com/security/advisory/ZF2015-07
- http://www.debian.org/security/2015/dsa-3369
- http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/
- https://security-tracker.debian.org/tracker/CVE-2015-5723
- https://nvd.nist.gov/vuln/detail/CVE-2015-5723
- https://framework.zend.com/security/advisory/ZF2015-07
- https://github.com/FriendsOfPHP/security-advisories/blob/master/aws/aws-sdk-php/CVE-2015-5723.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/doctrine/cache/CVE-2015-5723.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/doctrine/orm/CVE-2015-5723.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-cache/CVE-2015-5723.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-5723.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-5723.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/zfcampus/zf-apigility-doctrine/CVE-2015-5723.yaml
- https://github.com/aws/aws-sdk-php/releases/tag/3.2.1
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67
- https://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html
CWEs
CWE-264
Verify integrity in audit chain (admin only). AS-IS.